feat(v2): operation audit log; deprecate the v1 bash tool (v2.1.0)#4
Merged
Conversation
Audit log (new internal/audit package): - Every privileged mutating operation — account create/delete, and install/uninstall/upgrade — is appended as one JSON line to a root-owned, append-only /var/log/linux-temp-admin/audit.log (0600, O_NOFOLLOW), recording time, actor (SUDO_USER when present, else root) + effective uid, pid, action, target, result, and key params (host/sudo/auto/registered/fingerprint). - Best-effort: a write failure is warned but never blocks or fails the operation. - Wired into the CLI via App.Audit (audit.Default()); disabled (no-op) when unset, so existing tests are unaffected. e2e test asserts create+delete are logged. v1 (bash) deprecation: - temp-admin.sh prints a bilingual deprecation notice at startup pointing to v2 (suppress with LTA_SUPPRESS_DEPRECATION=1, which tests/unit.sh sets) and carries a DEPRECATED header. Still runs; no further features/fixes. Docs: READMEs mark v1 deprecated and document the audit log; CHANGELOG v2.1.0. Verified: gofmt/vet clean; full suite (unit + root/integration + -race) green; production audit path smoke-tested via a real install/uninstall (root:root 0600 JSON lines with the correct actor). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two requested changes for v2.1.0.
1. Operation audit log (new
internal/audit)Every privileged mutating operation is appended as one JSON line to a root-owned, append-only
/var/log/linux-temp-admin/audit.log(0600, openedO_NOFOLLOWin a root-safe dir):time(RFC3339 UTC),pid,actor(theSUDO_USERbehind the operation, elseroot),uid(effective),action,target,result,detail, and params (host/sudo/auto/registered/fingerprint,force, …)App.Audit(audit.Default()); a nil logger is a no-op, so existing tests are unaffectedExample:
{"time":"2026-07-08T09:35:18Z","pid":2079231,"actor":"alice","uid":0,"action":"install","result":"ok","detail":"/usr/local/sbin/linux-temp-admin"}Limitation (documented): an on-host log is tamperable by root — forward to a remote collector for tamper-evidence.
2. Deprecate the v1 bash tool
temp-admin.shis no longer maintained: it prints a bilingual deprecation notice at startup pointing to v2 (suppress withLTA_SUPPRESS_DEPRECATION=1, whichtests/unit.shsets so its assertions stay stable) and carries aDEPRECATEDfile header. It still runs; no further features/fixes. READMEs updated.Verification
gofmt/go vet -printf.funcs=...clean;go build ./...OK.-race(newaudittests + e2e asserting create/delete are logged).bash -n,shellcheck -S warning, andtests/unit.shall pass; warning shows on stderr, stdout stays clean, suppressible.install/uninstall:/var/log/linux-temp-admin/audit.logwrittenroot:root 0600with the correct actor.CHANGELOG: v2.1.0.
🤖 Generated with Claude Code